- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to retrieve top 20 errors from all applica...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to retrieve top 20 errors from all application logs
All my application logs are 'indexed' as 'customer'_application. The below shows all my Events just fine
index = *_application sourcetype = * source = * host = *
The below shows all my errors/Errors in all the Events just fine
index = *_application sourcetype = * source = * host = * error
I know that error is not a field and it must be extracted first . Unfortunately I haven't succeeded with that.
Please note that all the different application-logs are not constructed (build) in the same way. The below gives me basically the desired setup, except that the 'error' message itself is missing.
index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source
Is it even possible to achieve this or is certain log pattern (structure) a must. If this would be possible, how?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi edwinmae,
I think that It is normal that the error message is missing ,because your results (index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source) displayed in the form of table. you can click on Events tab to review
error in events.
Assure you that you are in Verbose mode before run your search query.
So no problem! Your result matches the events that contain the error message.
Note: Although all the different application-logs are not constructed in the same way, you can extract individually " error" message in each application and then use the tag concept to name them the same way .
Link for tag concept:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all --- Thanks for your quick response
The below gives me the desired output, except for the message itself
index=_application sourcetype= source=* host=* Error | top limit=20 host sourcetype source
I am able to see the log 'messages/events' (with Error) by clicking on the 'log-file (links)' listed under sourcetype (after the search), but I would like to have have an additional column like 'message' that shows me (only) the errors that occured most.
index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source message
I know there is no field like message; I tried to get the errors listed with rex but was unsuccessful to achieve this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Although all the different application-logs are not constructed in the same way, you can extract individually " error" message in each application and then use the tag concept to name them the same way .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this case, you will give message like the name of your tag
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is because you search through many application-logs.
Follow link to have information about tag:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
